in my webapp users have to authenticate through Kerberos and as a second step I check for their groups in AD with their UPN. The server authenticates against AD with Kerberos (SPN, Keytab) too.
I wanted to make that easier and delegate the client's credenials to take full advantage of SSO. There does not seem to be an option in the LoginContext to delegate credentials instead of using a login module with different credentials.
A web search led me to predefined login modules only :-(